590 tests passing — 7 layers — zero hallucinations

Trust the code
Ship with proof

AI writes code fast. But fast doesn't mean safe. CodeTrust runs every line through 7 verification layers — catching hallucinated packages, broken configs, anti-patterns, and SQL issues before they hit production. Built by one engineer. Backed by 590 tests.

Install for VS Code See the proof
$ pip install codetrust copied
The Problem

AI code ships untested,
unchecked, unverified

Copilot generates a package import. It looks right. It compiles. But the package doesn't exist — it was hallucinated. Your Docker image references a tag that was never published. Your SQL migration uses FLOAT for money and drops FK constraints without a safety net.

Every linter checks syntax. Nobody checks trust.

BLOCK

Hallucinated packages

AI invents package names that sound real but don't exist on PyPI, npm, or crates.io — your build breaks in CI, or worse, you install a typosquatted package

BLOCK

Ghost Docker images

Base images with non-existent tags — you find out when the Dockerfile fails to build at 2AM on deploy night

WARN

Silent anti-patterns

eval(), hardcoded secrets, mutable defaults, bare excepts — code that passes linting but fails in production

BLOCK

Dangerous SQL

DELETE without WHERE, FLOAT for monetary values, GRANT ALL on production — AI doesn't understand consequences

Proof

Real scan, real output

Actual deep scan API response — hallucinated package caught, anti-patterns flagged, verdict delivered

codetrust — POST /v1/scan/deep
$ curl -X POST /v1/scan/deep -d '{"code": "...", "filename": "app.py"}'

{
  "verdict": "BLOCK",
  "total_findings": 5,
  "findings": [
    {
      "rule_id": "package_not_found",
      "severity": "BLOCK",
      "message": "Package 'flask-restplus' not found on PyPI"
    },
    {
      "rule_id": "hardcoded_secret",
      "severity": "BLOCK",
      "message": "Possible hardcoded secret — use env variables"
    },
    {
      "rule_id": "high_complexity",
      "severity": "WARN",
      "message": "Cyclomatic complexity 14 exceeds threshold"
    }
  ],
  "packages": [
    { "package": "flask", "status": "VERIFIED" },
    { "package": "flask-restplus", "status": "NOT_FOUND" }
  ]
}
Hallucinated package caught before it reached production
Architecture

7 layers — each catches what
the last one can't

Code enters at Layer 1. If it survives all 7, it ships. If not — you know exactly why

01

Static Analysis

Regex engine. 28+ rules. Catches secrets, eval, injection, debug statements.

~2ms per file
02

SQL Analysis

13 dedicated rules for .sql files. SELECT *, DELETE without WHERE, FLOAT for money, GRANT ALL.

shipped in v1.6.0
03

AST Analysis

Tree-sitter structural parsing. Complexity, nesting depth, unused variables, unreachable code.

Python · JS · TS · Go · Rust
04

Package Verification

Live registry checks. Every import verified against PyPI, npm, crates.io, Go proxy.

catches hallucinated packages
05

Docker Verification

Validates base images and tags exist on Docker Hub and GHCR before you build.

no more ghost images
06

Enterprise Checks

Repo structure audit. README, LICENSE, tests, .gitignore, CI config.

production-readiness gate
07

Deep Scan

All layers orchestrated in a single pass. One endpoint. Complete verdict.

POST /v1/scan/deep
What we catch

28+ rules across every layer

BLOCK stops the pipeline — WARN flags risk — INFO improves

hardcoded_secret
Hardcoded API keys, tokens or passwords — use environment variables
BLOCK
eval_exec
eval/exec opens arbitrary code execution — use safe alternatives
BLOCK
sql_injection
String-formatted queries — use parameterized queries
BLOCK
pickle_load
Unsafe deserialization with untrusted data
BLOCK
package_not_found
Import doesn't exist on any registry — AI hallucination caught
BLOCK
high_complexity
Cyclomatic complexity exceeds threshold — refactor needed
WARN
bare_except
Bare except catches KeyboardInterrupt — catch specific exceptions
WARN
mutable_default
Mutable default argument — use None and assign inside function
WARN
wildcard_import
from module import * — reduces clarity and breaks tooling
WARN
deep_nesting
Nesting depth exceeds 4 levels — extract to functions
WARN
docker_image_not_found
Base image or tag doesn't exist on Docker Hub
BLOCK
missing_readme
No README in repository — enterprise readiness blocked
BLOCK
sql_delete_no_where
DELETE without WHERE — will remove all rows
BLOCK
sql_grant_all
GRANT ALL gives excessive privileges on production
BLOCK
Coverage

One tool, every stack

Python JavaScript TypeScript Go Rust SQLnew Dockerfile
Get Started

Three ways in

PyPI

Python 3.12+. MCP server or CLI.

pip install codetrust View on PyPI →

VS Code Extension

Real-time scanning. Works with Copilot.

ext install SaidBorna.codetrust View on Marketplace →

Cloud API

REST API. No install. POST your code.

POST /v1/scan/deep Check API status →

AI writes fast
CodeTrust verifies it's right

590 tests, 7 verification layers, 28+ rules. Zero tolerance for hallucinated packages — built and maintained by one engineer who refuses to ship unchecked code

Install for VS Code pip install codetrust